Plaso in a Docker container
To install Docker see: https://docs.docker.com/get-docker
Obtaining a Plaso Docker image
From Docker Hub
$ docker pull log2timeline/plaso
$ git clone https://github.com/log2timeline/plaso $ cd plaso/config/docker $ docker build -f Dockerfile .
Testing your Plaso Docker image
To test your Plaso Docker image:
$ docker run log2timeline/plaso log2timeline.py --version plaso - log2timeline version 20200717
Copying the Plaso Docker image to a non-Internet connected system
Figure out the name of the Docker image you want to run, using the IMAGE ID (Docker images will list all the images you have installed) if you’ve built from the Dockerfile. Use “log2timeline/plaso” if you’ve just made the image from Docker Hub.
First, export the image:
$ docker save <CONTAINER_NAME> | gzip -c > saved_docker_image.tgz
Then copy saved_docker_image.tgz to an external disk.
Finally, on the other system, and from the mounted external disk, run:
$ zcat saved_docker_image.tgz | docker load
Run Plaso from your new Docker image
Figure out the name of the Docker image you want to run (see before)
First start the extraction with log2timeline. Should your evidence files/images should be present on the host, and not in the container (which is the default scenario), you’ll have to set up a bridge between the two. For example, if you store your current evidences to analyse in /data/evidences/, you could tell log2timeline to generate the Plaso storage file as /data/evidences.plaso this way:
$ docker run -v /data/:/data log2timeline/plaso log2timeline --storage-file /data/evidences.plaso /data/evidences
This way your Plaso file will also be stored on the host filesystem.
Note that if you are running SELinux you likely need to add the
flag. Also see: Configure the selinux label.
Note that if you are running Windows adding a “Mapped Network Drive” might not work with WSL. Also see: Mapped drives as shared drives with linux containers: This shared resource does not exist. #2163.
Next step is to run analysis with psort:
$ docker run -v /data/:/data log2timeline/plaso psort -w /data/timeline.log /data/evidences.plaso Datetime,timestamp_desc,source,source_long,message,parser,display_name,tag,store_number,store_index .... Processing completed. *********************************** Counter ************************************ Stored Events : 251 Events Included : 251 Duplicate Removals : 23 --------------------------------------------------------------------------------
Last step, forensication, is left to the reader.
The entry_point of the Docker container is plaso-switch.sh. It understands the following commands, and runs the appropriate programs:
log2timeline or log2timeline.py
pinfo or pinfo.py
psort or psort.py
psteal or psteal.py
If you’re not interested in running any of these, and just want to drop to a prompt inside your Plaso container, you can run:
docker run -t -i --entrypoint=/bin/bash -v /data:/data log2timeline/plaso